I covered the three classes of privacy in my previous post: peer privacy, provider privacy and authority privacy. Let’s take a closer look at one aspect of provider privacy: the tracking of surfing habits.
(I just realized that I keep typing “Facebook, Google, etc.” over and over when writing about provider privacy and the big data companies. I’m tired of that so I will shorten it to Faceboogle.)
People feed huge amounts of private data into Faceboogle every day, and this data is used to create more and more accurate user profiles. But this is not the full picture. These companies collect data on you from other sources as well. Your surfing habits are very interesting and can reveal a lot about you. But how can this data be collected? Your browser connects directly to the web sites you use and the traffic does not go through Faceboogle. So some clever tricks are needed.
Do you use the option to keep you logged in to Faceboogle? Convenient, isn’t it? Just open the browser and you can start Faceboogling right away. This is done through cookies in your browser, small pieces of data that identify you and enable Faceboogle to recognize you and continue the session when you return. These cookies are actually kept even if you log out, so Faceboogle knows who you are when you return even before you have logged in.
Another convenient thing is the small buttons you can use to like or share content. They can be found all over the web nowadays. Faceboogle has also made life convenient for web developers by providing them with ready-made code snippets that can easily be embedded in any web page and are loaded from Faceboogle when needed.
It all turns sinister when these two features work together. Say you go to your favorite news site. You browse through the recent articles and open some of them. All posts have a long row of like and share buttons. Each of these buttons is loaded from Faceboogle every time you view the page, and the stored cookies tell Faceboogle who you are. What this means in practice is that every time you open a page with the buttons, Faceboogle can update your profile and store data about what kind of articles you find interesting. This makes web site owners part of the plot: the surfing habit data could not be collected without their help. They must include the Faceboogle buttons to make it work.
Some of you are probably smiling right now and looking at the upper part of the screen. Yes, we use them too. They are convenient and sort of a good service for the user.
Could we do something about it? Yes, there are several ways to mitigate the problem, but all approaches have their downsides. One obvious way would be to drop the buttons altogether. That’s a perfect solution to the privacy problem, but makes it hard to share and like the content. This is not really a good solution.
One approach is to load the buttons on demand. This means that they are grayed out when the page loads. They do not communicate with Faceboogle at this stage, and can’t reveal any data about you. Any button can be activated by a click, and a second click is needed to share or like the content. The first activating click will reveal your identity to Faceboogle and also fetch statistics about the page. One disadvantage with this approach is that you can’t see the share- and like-counters before you activate the button.
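The two-click approach described above, as an added example that is not code from this site or from any provider. The widget URL (a placeholder on a reserved `.example` domain), the CSS class names and the `createTwoClickButton` helper are assumptions.

```javascript
// Placeholder provider URL (constructed for this example, not a real endpoint).
const WIDGET_URL = "https://widgets.faceboogle.example/like.html";

// Renders a local placeholder into `container`. The provider's widget is only
// created on the first click, so merely viewing the page sends the provider
// no request and therefore no cookies.
function createTwoClickButton(doc, container, pageUrl, widgetUrl = WIDGET_URL) {
  // Stage 1: grayed-out button built entirely from local markup.
  const placeholder = doc.createElement("button");
  placeholder.textContent = "Enable Like button";
  placeholder.className = "share-inactive";
  container.appendChild(placeholder);

  let activated = false;
  placeholder.addEventListener("click", () => {
    if (activated) return; // ignore repeated activation clicks
    activated = true;
    // Stage 2: the first click swaps in the provider's widget. From here on
    // the browser contacts the provider, which receives its cookies and the
    // page URL and can return the like/share counters.
    const frame = doc.createElement("iframe");
    frame.src = widgetUrl + "?href=" + encodeURIComponent(pageUrl);
    frame.title = "Like button";
    frame.className = "share-active";
    container.replaceChild(frame, placeholder);
    // The second click lands inside the iframe, on the provider's own button.
  });

  return { isActivated: () => activated };
}

// Browser wiring: every <div class="two-click-share"> gets a placeholder.
// Guarded so the file also loads outside a browser.
if (typeof document !== "undefined") {
  document.querySelectorAll(".two-click-share").forEach((el) =>
    createTwoClickButton(document, el, location.href));
}
```

Until a reader activates a button, the page contains no element whose source points at the provider, which is also why the counters cannot be shown beforehand.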
Another approach is to host all the graphic elements for the button locally. The buttons look normal and can be used with a single click, but still do not reveal your identity to Faceboogle before you touch them. The main disadvantage is that the share- and like-statistics are missing completely in this solution.
As a security- and privacy-aware company we need to review the situation and possibly do something about the buttons. But which strategy is the best? This depends a lot on the readers’ preferences. For this reason we will post a poll where we ask a couple of questions about your relation to the Faceboogle buttons. Stay tuned, the poll post will be up soon. Looking forward to hearing what you really think about them.
The poll is published.